[apparmor] [patch] Change SignalRule to use AARE instead of plain strings
Christian Boltz
apparmor at cboltz.de
Mon Nov 16 20:50:04 UTC 2015
Hello,
Am Samstag, 24. Oktober 2015 schrieb Christian Boltz:
> $subject.
>
> Also adjust test-signal for AARE (it needed a change in
> _compare_obj()) and enable the regex-based tests.
Here's v2 with the following changes:
- hand over log_event when creating the AARE object
- use self.peer.is_equal() instead of comparing .regex
[ 16-signal-rule-use-aare.diff ]
=== modified file ./utils/apparmor/rule/signal.py
--- utils/apparmor/rule/signal.py 2015-11-16 21:26:38.034344249 +0100
+++ utils/apparmor/rule/signal.py 2015-11-16 21:32:54.104210992 +0100
@@ -14,6 +14,7 @@
import re
+from apparmor.aare import AARE
from apparmor.regex import RE_PROFILE_SIGNAL, RE_PROFILE_NAME
from apparmor.common import AppArmorBug, AppArmorException
from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, quote_if_needed
@@ -98,7 +99,7 @@
elif type(peer) == str:
if len(peer.strip()) == 0:
raise AppArmorBug('Passed empty peer to SignalRule: %s' % str(peer))
- self.peer = peer # XXX use AARE
+ self.peer = AARE(peer, False, log_event=log_event)
else:
raise AppArmorBug('Passed unknown object to SignalRule: %s' % str(peer))
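Review bot: `AARE(peer, False, log_event=log_event)` passes the `is_path` flag as a bare positional `False`, which a reader has to look up in apparmor.aare to interpret; `self.peer = AARE(peer, is_path=False, log_event=log_event)  # peer is a profile label, not a filesystem path` says both what the flag is and why it is off. The `log_event` name is presumably a parameter of `__init__`, whose signature is outside the hunk; since a missing name here would only surface at runtime when a str peer is passed, it is worth confirming it is declared there. The enclosing `__init__` starts and ends outside the hunk.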
@@ -182,7 +183,7 @@
if self.all_peers:
peer = ''
elif self.peer:
- peer = ' peer=%s' % quote_if_needed(self.peer) # XXX use AARE
+ peer = ' peer=%s' % quote_if_needed(self.peer.regex)
else:
raise AppArmorBug('Empty signal in signal rule')
@@ -197,7 +198,7 @@
if not other_rule.signal and not other_rule.all_signals:
raise AppArmorBug('No signal specified in other signal rule')
- if not other_rule.peer and not other_rule.all_peers: # XXX use AARE
+ if not other_rule.peer and not other_rule.all_peers:
raise AppArmorBug('No peer specified in other signal rule')
if not self.all_accesss:
@@ -215,7 +216,7 @@
if not self.all_peers:
if other_rule.all_peers:
return False
- if other_rule.peer != self.peer: # XXX use AARE
+ if not self.peer.match(other_rule.peer.regex):
return False
# still here? -> then it is covered
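Review bot: The new check `if not self.peer.match(other_rule.peer.regex)` tests the other rule's pattern as a literal string against self.peer, which is not a superset test between two globs: with AARE semantics as I recall them (`*` does not cross `/`, `**` does) a rule with `peer=/foo/*bar` would report `peer=/foo/**bar` as covered although the latter also matches labels with extra `/` components, and two differently spelled patterns covering the same set are reported as not covered. Callers that de-duplicate rules will act on this result, so the approximation should at least be stated on the line: `# NOTE: matches other_rule's pattern as a literal string - an approximation, not a full glob-superset check`. A row in test-signal.py with a base rule carrying a glob and an other rule carrying a wider glob would pin whichever behaviour is intended. The enclosing function starts and ends outside the hunk.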
@@ -235,8 +236,10 @@
or self.all_signals != rule_obj.all_signals):
return False
- if (self.peer != rule_obj.peer # XXX switch to AARE
- or self.all_peers != rule_obj.all_peers):
+ if self.all_peers != rule_obj.all_peers:
+ return False
+
+ if self.peer and not self.peer.is_equal(rule_obj.peer):
return False
return True
@@ -255,7 +258,7 @@
if self.all_peers:
peer = _('ALL')
else:
- peer = self.peer # XXX use AARE
+ peer = self.peer.regex
return [
_('Access mode'), access,
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py 2015-11-16 21:26:38.034344249 +0100
+++ utils/test/test-signal.py 2015-11-16 00:14:05.371336371 +0100
@@ -35,7 +35,10 @@
self.assertEqual(expected.audit, obj.audit)
self.assertEqual(expected.access, obj.access)
self.assertEqual(expected.signal, obj.signal)
- self.assertEqual(expected.peer, obj.peer)
+ if obj.peer:
+ self.assertEqual(expected.peer, obj.peer.regex)
+ else:
+ self.assertEqual(expected.peer, obj.peer)
self.assertEqual(expected.all_accesss, obj.all_accesss)
self.assertEqual(expected.all_signals, obj.all_signals)
self.assertEqual(expected.all_peers, obj.all_peers)
@@ -386,8 +389,8 @@
('signal,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
('signal send peer=/foo/bar,' , [ True , True , True , True ]),
- #('signal send peer=/foo/*,' , [ False , False , True , True ]), # XXX
- #('signal send peer=/**,' , [ False , False , True , True ]), # XXX
+ ('signal send peer=/foo/*,' , [ False , False , False , False ]),
+ ('signal send peer=/**,' , [ False , False , False , False ]),
('signal send peer=/what/*,' , [ False , False , False , False ]),
('signal peer=/foo/bar,' , [ False , False , False , False ]),
('signal send, # comment' , [ False , False , False , False ]),
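Review bot: The two rows for `peer=/foo/*` and `peer=/**` are not merely un-commented: their covered/covered-exact expectations change from the earlier `True, True` to `False, False`, while the cover letter only says the regex-based tests were enabled. If the base rule of this table is the literal `peer=/foo/bar` (the table's single all-`True` row suggests so, but the base rule is outside the hunk), `False` is the right answer, since a literal peer cannot cover a wildcard peer. A short comment above these rows such as `# a literal peer does not cover a wildcard peer` would keep the next reader from restoring the old expectation.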
@@ -413,19 +416,19 @@
# rule equal strict equal covered covered exact
('signal,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
- #('signal send peer=/foo/bar,' , [ False , False , True , True ]), # XXX several AARE tests
- #('signal send peer=/foo/*,' , [ False , False , True , True ]),
- #('signal send peer=/**,' , [ False , False , True , True ]),
- #('signal send peer=/what/*,' , [ False , False , True , True ]),
+ ('signal send peer=/foo/bar,' , [ False , False , True , True ]),
+ ('signal send peer=/foo/*,' , [ False , False , True , True ]),
+ ('signal send peer=/**,' , [ False , False , True , True ]),
+ ('signal send peer=/what/*,' , [ False , False , True , True ]),
('signal peer=/foo/bar,' , [ False , False , False , False ]),
('signal send, # comment' , [ False , False , False , False ]),
('allow signal send,' , [ False , False , False , False ]),
- #('allow signal send peer=/foo/bar,' , [ False , False , True , True ]),
+ ('allow signal send peer=/foo/bar,' , [ False , False , True , True ]),
('signal send,' , [ False , False , False , False ]),
- #('signal send peer=/foo/bar,' , [ False , False , True , True ]),
- #('signal send peer=/what/ever,' , [ False , False , True , True ]),
+ ('signal send peer=/foo/bar,' , [ False , False , True , True ]),
+ ('signal send peer=/what/ever,' , [ False , False , True , True ]),
('signal send set=quit,' , [ False , False , False , False ]),
- #('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
+ ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
('audit signal send peer=/foo/bar,' , [ False , False , False , False ]),
('audit signal,' , [ False , False , False , False ]),
('signal receive,' , [ False , False , False , False ]),
Regards,
Christian Boltz
--
[dracut] I'm reluctant to waste time dealing with things like e.g.
modules.d/90crypt/cryptroot-ask.sh. That feels like boot.crypto which
was rightfully killed by systemd raising from the dead.
[Ludwig Nussel in opensuse-packaging]